Problem with certbot renewal

Dear all,

I need to renew the certificate for my website, but somehow I ran into trouble. Here are the answers to the general questions:

My domain is: www.3bij3.nl

I ran this command: sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.3bij3.nl.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.3bij3.nl
http-01 challenge for 3bij3.nl
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.3bij3.nl) from /etc/letsencrypt/renewal/www.3bij3.nl.conf produced an unexpected error: Failed authorization procedure. www.3bij3.nl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.3bij3.nl/.well-known/acme-challenge/uJo9XZ_E61EpIw5GjKXJzV2wJVeBVLazoACfMOUiZjI: "Welkom op 3bij3 <meta name="viewport" content="width=device-width, ini", 3bij3.nl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://3bij3.nl/.well-known/acme-challenge/DapX28z034TaJTMQRSLinxUBaOeqnnArpZTmKLRgpzU: "Welkom op 3bij3 <meta name="viewport" content="width=device-width, ini". Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: strato.nl

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

My nginx configuration is as follows:

server {
    # listen on port 80 (http)
    listen 80;
    server_name _;
    location / {
        # redirect any requests to the same URL but on https
        return 301 https://$host$request_uri;
    }
}
server {
    # listen on port 443 (https)
    listen 443 ssl;
    server_name _;

    # location of the certificate
    ssl_certificate /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.3bij3.nl/privkey.pem;

    # write access and error logs to /var/log
    access_log /var/log/3bij3_access.log;
    error_log /var/log/3bij3_error.log;

    location / {
        # forward application requests to the gunicorn server
        proxy_pass 127.0.0.1:8000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /static {
        # handle static files directly, without forwarding to the application
        alias /home/felicia/3bij3/app/static;
        expires 30d;
    }
}

I do not know what is not working, please let me know if you need any additional information to help me!

Hi,

You are using a proxy to redirect all queries to the backend server, which also redirected the certbot query.

In order for this to work, add the following block before or after the location / block:

location ~ /.well-known {
    allow all;
}

Thank you


Thank you for your fast answer! I added it like this:

server {
    # listen on port 80 (http)
    listen 80;
    server_name _;
    location / {
        # redirect any requests to the same URL but on https
        return 301 https://$host$request_uri;
    }
}
server {
    # listen on port 443 (https)
    listen 443 ssl;
    server_name _;

    # location of the certificate
    ssl_certificate /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.3bij3.nl/privkey.pem;

    # write access and error logs to /var/log
    access_log /var/log/3bij3_access.log;
    error_log /var/log/3bij3_error.log;

    location / {
        # forward application requests to the gunicorn server
        proxy_pass 127.0.0.1:8000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /static {
        # handle static files directly, without forwarding to the application
        alias /home/felicia/3bij3/app/static;
        expires 30d;
    }
}
location ~ /.well-known {
    allow all;
}

But it still does not work, I get the same error - or did I insert it at the wrong place?

Hi,

Can you please try placing that block before the first https location block (the proxy one)?

Thank you

Hey,

hmm… now it looks like this:

server {
    # listen on port 80 (http)
    listen 80;
    server_name _;
    location / {
        # redirect any requests to the same URL but on https
        return 301 https://$host$request_uri;
    }
}
server {
    # listen on port 443 (https)
    listen 443 ssl;
    server_name _;

    # location of the self-signed SSL certificate
    ssl_certificate /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.3bij3.nl/privkey.pem;

    # write access and error logs to /var/log
    access_log /var/log/3bij3_access.log;
    error_log /var/log/3bij3_error.log;

    location ~ /.well-known {
        allow all;
    }

    location / {
        # forward application requests to the gunicorn server
        proxy_pass 127.0.0.1:8000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /static {
        # handle static files directly, without forwarding to the application
        alias /home/felicia/3bij3/app/static;
        expires 30d;
    }
}

But I still get the same issue and now when I try to reload nginx I get an error saying: nginx: [emerg] invalid URL prefix in /etc/nginx/sites-enabled/3bij3.conf:29

Sorry if I am asking stupid questions, I am completely new to this…

Ok…

That’s a little bit weird…

Can you check your Let’s Encrypt renewal config? (Why does using webroot produce a 404?)

server {
    # listen on port 443 (https)
    listen 443 ssl;
    server_name _;

    # location of the certificate
    ssl_certificate /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.3bij3.nl/privkey.pem;

    # write access and error logs to /var/log
    access_log /var/log/3bij3_access.log;
    error_log /var/log/3bij3_error.log;

    location ~ /.well-known {
        allow all;
    }
    location / {
        # forward application requests to the gunicorn server
        proxy_pass 127.0.0.1:8000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /static {
        # handle static files directly, without forwarding to the application
        alias /home/felicia/3bij3/app/static;
        expires 30d;
    }
}

do you mean this:

renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/www.3bij3.nl
cert = /etc/letsencrypt/live/www.3bij3.nl/cert.pem
privkey = /etc/letsencrypt/live/www.3bij3.nl/privkey.pem
chain = /etc/letsencrypt/live/www.3bij3.nl/chain.pem
fullchain = /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
webroot_path = /var/www/letsencrypt,
account = a711e55840f71576a1fb61013048c7fc
installer = None
[[webroot_map]]
www.3bij3.nl = /var/www/letsencrypt
3bij3.nl = /var/www/letsencrypt

Hi @FeLoe,

Replace this:

location ~ /.well-known {
    allow all;
}

by this:

location ~ /.well-known {
    default_type "text/plain";
    root /var/www/letsencrypt; 
}

Restart nginx and before trying to issue a certificate, first check that you can get a test file:

mkdir -p /var/www/letsencrypt/.well-known/acme-challenge/
echo "This is a test" >  /var/www/letsencrypt/.well-known/acme-challenge/test

And try to get that file from command line:

curl -ikL http://www.3bij3.nl/.well-known/acme-challenge/test

or using your browser: http://www.3bij3.nl/.well-known/acme-challenge/test

If you get the text “This is a test” then go ahead and try to issue your cert.

Good luck,
sahsanu
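The test-file check described in the reply above, scripted so it can be re-run before every renewal. This is an added example and not sahsanu's or the thread author's code; it assumes the webroot_path from the renewal config posted above (/var/www/letsencrypt, overridable via WEBROOT) and takes the domain names from the webroot_map as arguments. It goes a little beyond the manual check: it plants a random token rather than a fixed file name, follows redirects the way Let's Encrypt does, and tells you whether a failed fetch came back as an HTML page (the request reached the application, as in the certbot error at the top of the thread) or as an empty body (nginx is serving the path from the wrong directory).

```shell
#!/bin/sh
# acme-preflight.sh: verify that HTTP-01 challenge files under the certbot
# webroot are actually reachable over plain HTTP for every domain.
# Added example, not code from the thread. Assumes the webroot_path from the
# renewal config posted above; override with WEBROOT=/other/path.
set -eu

WEBROOT="${WEBROOT:-/var/www/letsencrypt}"

# Compare the body a server returned with the token we planted.
# Returns 0 on an exact match, 1 otherwise.
challenge_body_matches() {
    expected="$1"
    actual="$2"
    # drop trailing whitespace/newline the file or the server may add
    actual="$(printf '%s' "$actual" | sed -e 's/[[:space:]]*$//')"
    [ "$actual" = "$expected" ]
}

# Classify a wrong response so the operator knows which layer to look at.
diagnose_body() {
    body="$1"
    case "$body" in
        *"<html"*|*"<meta"*|*"<!DOCTYPE"*|*"<!doctype"*)
            echo "HTML page returned: the request reached the application, not the webroot" ;;
        "")
            echo "empty body: check that nginx's root for /.well-known points at $WEBROOT" ;;
        *)
            echo "unexpected body: $body" ;;
    esac
}

# Plant a random token under the webroot, fetch it over http:// for each
# domain given as an argument, and remove it again. -L follows redirects
# (e.g. a port-80 301 to https) because Let's Encrypt follows them too.
preflight() {
    token="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s\n' "$token" > "$dir/$token"
    rc=0
    for d in "$@"; do
        body="$(curl -sSL --max-time 10 "http://$d/.well-known/acme-challenge/$token" || true)"
        if challenge_body_matches "$token" "$body"; then
            echo "OK   $d"
        else
            echo "FAIL $d: $(diagnose_body "$body")"
            rc=1
        fi
    done
    rm -f "$dir/$token"
    return $rc
}

# Usage: sudo sh acme-preflight.sh www.3bij3.nl 3bij3.nl
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

Run it as root (or as a user that can write to the webroot) after every nginx reload; only when every domain prints OK is it worth running certbot renew.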


Hey @sahsanu,

I’ve tried it, but when I do

sudo service nginx reload

it does not work and I get

Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

and when looking at journalctl -xe it shows:

nginx: [emerg] invalid URL prefix in /etc/nginx/sites-enabled/3bij3.conf:30

So I cannot restart nginx…

@sahsanu @stevenzhu - found it! Apparently I needed to add http:// before the proxy_pass in nginx (although I never had to do this before) and now everything works! Thank you both so much for your help and time! I have my certificates now :wink:
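Putting the thread's fixes together: an nginx site file that serves the challenge directory from the certbot webroot with a `root` directive, serves it on port 80 before the https redirect, and gives `proxy_pass` the scheme the last post found missing. This is an added example, not the thread author's final file; the paths, log names and backend address are the ones posted above, and the `^~ /.well-known/acme-challenge/` prefix location is my own tightening of the `~ /.well-known` regex used in the thread (a prefix match with `^~` takes precedence over regex locations and exposes nothing else under /.well-known).

```nginx
server {
    # listen on port 80 (http)
    listen 80;
    server_name _;

    # Serve challenge files straight from the certbot webroot over plain HTTP.
    # Use root, not alias: nginx appends the full URI to root, so
    # /.well-known/acme-challenge/X maps to /var/www/letsencrypt/.well-known/acme-challenge/X,
    # which is exactly where certbot's webroot authenticator writes it.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }

    # redirect everything else to the same URL but on https
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    # listen on port 443 (https)
    listen 443 ssl;
    server_name _;

    # location of the certificate
    ssl_certificate     /etc/letsencrypt/live/www.3bij3.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.3bij3.nl/privkey.pem;

    # write access and error logs to /var/log
    access_log /var/log/3bij3_access.log;
    error_log  /var/log/3bij3_error.log;

    # Same block here, so a validation request that followed the 301
    # above still gets the token file and not the application's HTML.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }

    location / {
        # forward application requests to the gunicorn server;
        # proxy_pass needs a scheme, a bare host:port is the
        # "invalid URL prefix" error seen earlier in the thread
        proxy_pass http://127.0.0.1:8000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /static {
        # handle static files directly, without forwarding to the application
        alias /home/felicia/3bij3/app/static;
        expires 30d;
    }
}
```

Check the file with `sudo nginx -t` before `sudo service nginx reload`, then run `sudo certbot renew --dry-run` (which validates against the staging environment and issues nothing) before the real renewal.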
